Introduction

Welcome to the Unit API! Our documentation will walk you from the basics (authentication, request structure) to using and creating financial products (accounts, cards, payments etc.).

Unit treats each client as a standalone organization. You may log into the Unit Dashboard to manage your organization's API tokens, users, applications, customers, accounts and more.

Ready to get started? Sign up here to receive immediate access to our Sandbox and start building with Unit.

The introduction covers basic concepts you should be familiar with in order to make the most out of the platform.

Environments#

Our API and Dashboard are available in two environments:

Name	Dashboard URL	API URL
Sandbox	https://app.s.unit.sh/	`https://api.s.unit.sh/`
Production	Please contact Unit	Please contact Unit

The sandbox environment contains special API operations that allow you to easily test and simulate different activities, from incoming payments to card spend. You can find the full reference under Simulations.

SDKs#

Unit maintains a Node.js (Typescript) SDK on Github that wraps all resources and API endpoints. We are actively working on SDKs for additional languages.

Postman Collection#

You can interact immediately with the Unit API via Postman.

To get started, import the Unit API Postman Collection into Postman, either by link or by downloading and importing the file. For more information, see the following under the Postman help: Importing Data into Postman.

The collection contains two variables:

Key	Value
`token`	Your API Token. You can create it from the API Tokens page on the Unit Dashboard.
`server_url`	Initially set to the sandbox environment.

JSON Schema#

You can download an archive with JSON Schemas for Unit API.

You can use one of the libraries that generate types from JSON schemas - see table below for examples of common language specific libraries.

Language	Library
NodeJS / TypeScript	[json-schema-to-typescript] (https://www.npmjs.com/package/json-schema-to-typescript)
Python	yacg (Yet Another Code Generation)
PHP	php-code-builder

Authentication#

Unit's API uses OAuth 2.0 Bearer Token to authenticate requests. All API calls must include a bearer token.

caution

An invalid, missing or expired token will result in HTTP 401 Unauthorized responses.

Example:

GET /accounts HTTP/1.1Host: api.s.unit.shAuthorization: Bearer v2.public.eyJyb2xlIjoib3JnIiwidX...

Tokens#

Unit Clients can use 2 types of API tokens:

Org API tokens are broad, system level API tokens, that are not restricted to a specific end customer.
Customer Tokens are end-customer specific, and only allow access to resources associated with a specific customer.

When a token is created, it is assigned a set of Scopes The scopes define the resources that can be accessed using that token, and the access level (read / write) that will be allowed using that token.

Some actions you can execute using Unit’s API are considered sensitive - as they are related to movement of funds. Sensitive actions and require Two Factor Authentication.

We recommend using Customer Tokens to access sensitive scopes, for a couple of reasons:
- They include built-in Two Factor Authentication (OTP) and expiry (customizable, up to 24 hours), so you don't have to implement it.
- They deny access to all resources that aren't associated with the authenticated customer. If a customer token with access to sensitive scopes is compromised, the impact is restricted to the specific customer. If an org API token with access to sensitive scopes is compromised, the impact could be far greater.
You are required to use a customer token in order to access and execute actions that are covered by PCI compliance (card related data and actions, including activating the card, setting and changing the PIN, and revealing the card number and CVV2 for virtual cards). You cannot rely on your own two factor authentication and Org API tokens for that purpose, unless you are PCI level 1 compliant.
If you would like to rely on your own two factor authentication for all non-PCI related sensitive actions, you may do so, and use an Org API token to authenticate with the Unit API. A successful two factor authentication is valid for up to 24 hours, and you responsible for re-authenticating the customer when needed.

note

When using a Customer Token, API calls may be made directly from your front-end (browser or app).

Rate Limits#

Our rate limit is based on your IP address and is set to 1,000 requests per minute. The limit applies to each environment (sandbox and production) separately. If the limit is exceeded, responses will include an HTTP 429 status code along with a relevant message.

Scopes#

Scopes define the level of access a token will have to resources in Unit.

A list of all scopes within Unit:#

caution

Scopes that are related to fund movement are considered sensitive, and are highlighted in the table below. Scopes that require PCI compliance to access are highlighted in purple.

Any action that requires access to these scopes, must be protected by Two Factor Authentication. If you follow the best practice and use a Customer Token for such actions, Unit will execute the authentication for you. If you decide to use an Org Token, you will have to implement it yourself.

Resource	Read Scope	Write Scope	Accessible Using
Application	application	application-write	Org API token
Customer Token	customer-token	customer-toke-write	Org API token
Customers	customers	customers-write	Org API token, Customer Token
Customer Tags	--	customer-tags-write	Org API token, Customer Token
Accounts	accounts	accounts-write	Org API token, Customer Token
Cards	cards	cards-write	Org API token, Customer Token
Cards Sensitive	cards-sensitive	cards-sensitive-write	Customer Token
Transactions	transactions	transactions-write	Org API token, Customer Token
Authorizations	authorizations	--	Org API token, Customer Token
Statements	statements	--	Org API token, Customer Token
Payments	payments	payments-write	Org API token, Customer Token
Payments to a counterparty	--	payments-write-counterparty	Org API token, Customer Token
Payments ACH Debit	--	payments-write-ach-debit	Org API token, Customer Token
Counterparties	counterparties	counterparties-write	Org API token, Customer Token
Events	events	events-write	Org API token, Customer Token
Webhooks	webhooks	webhooks-write	Org API token
Authorization Requests	authorization-requests	authorization-requests-write	Org API token
Batch Releases	batch-releases	batch-releases-write	Org API token
Check Deposits	check-deposits	check-deposits-write	Org API token, Customer Token

info

By default, creating an Org API token through the Create Token Page on the Dashboard selects the recommended scopes for an Org API token.

Tags#

To help you manage, categorize and enrich resources, Unit allows you to attach your own metadata to them in the form of tags (key-value pairs). Common examples:

Attaching a my_customer_id tag to an application with a value that helps you connect the application to a unique customer identifier in your app.
Attaching a purpose tag to an account with a value such as tax, saving or checking.

{    "data": {        "type": "depositAccount",        "attributes": {        /// ...        "tags": {            "purpose": "tax",            "my_account_id": "b6f395c9-e58a-40a5-a5a4-901d603440b9"        }    },    /// ...}

Tag Support#

Resource Type	Tag Support
Applications	Yes
Application Forms	Yes
Authorizations	No
Authorization Requests	No
Cards	Yes
Check Deposits	Yes
Counterparties	No
Customers	Inherited from Application
Deposit Accounts	Yes
Fees	Yes
Payments	Yes
Statements	No
Transactions	Inherited from Payment

Tag Inheritance#

Unit currently allows you to attach tags to the following resources: application, application form, customer, deposit account and payment.

Two additional resources- customer and transaction- are always created as a result of you creating a parent resource (application and payment respectively). They therefore inherit all tags from their parent resource:

A customer resource inherits all the tags from the application that created it.
A transaction resource inherits all the tags from the payment that created it.

Searching by Tags#

The List operation under certain resources (such as Application, Customer or Payment) supports searching by tags. You can search by passing any number of key-value pairs. The response will include the resources whose tags contain the key-value pairs you specified, based on the principles of JSON containment.

Example uses:

Assume you attach 5 different tags to all applications you create on Unit. One of these tags is a my_customer_id tag that helps you connect every Unit application to a unique customer identifier in your app. To search for the application that belongs to a known customer, specify a key-value pair in the following way: { "my_customer_id": "b6f395c9-e58a-40a5-a5a4-901d603440b9" }
Assume you attach 4 different tags to all book transfers you create on Unit. Two of these tags are is_loan and number_of_repayments. To search for all loans that have four repayments, specify two key-value pairs in the following way: { "is_loan": "true", "number_of_repayments": "4" }

Updating Tags#

You can add, update or delete tags from resources with the tags attribute on their corresponding Update operation (for example, Update Deposit Account).

Unit follows the JSON Merge Patch RFC when updating the tags. In general:

To add or update a tag, specify its key and value.
To delete a tag, specify its key and null for the value.

Tag Constraints#

Maximum number of tags per resource: 15
Keys and values are case-sensitive
Key constraints: 128 characters consisting of letters, numbers and underscores
Value constraints: 256 characters

Full-Text Search#

The List operation under certain resources (such as Application, Customer or Transaction) supports full-text search, to help you find the desired resources more easily.

In particular, you can use full-text search to quickly build better end-customer experiences. An example would be adding a search box that lets end-customers search for transactions by merchant name (e.g. 'starbucks') when browsing transactions under their account.

Full-Text search rules:

unquoted text: text without quote marks will be converted into words separated by 'And' operators. Example: 'john doe' will search for a resource with the value 'john' and the value 'doe'.
OR: will be converted into words separated by the 'Or' operator. Example: 'john or doe' will search for a resource with either the value 'john' or the value 'doe'.
-: will be converted into the 'Not' operator. Example: 'john -doe' will search for a resource with the value 'john' and without the value 'doe'.

Pagination#

List operations on all resources (example: List Customers) return a list of resources.

To page through a long list, use the following two query parameters:

page[limit]: Limit the number of resources to be returned (between 1 and 1000). Defaults to 100 when no value is provided.
page[offset]: Number of resources to skip. Defaults to 0 when no value is provided.

Idempotency#

Some of our API operations support request idempotency, allowing you to call a sensitive operation multiple times and assume that its work will be done no more than once. You may use any string of up to 255 characters as an idempotency key (we recommend UUID version 4).

The guarantee of idempotency is crucial when an API call has failed without a clear reason and a retry is due. For example, if creating a payment does not succeed due to a network error, you can safely retry creating the payment, passing the same idempotency key and assume the payment will occur no more than once, regardless of the number of calls.

Idempotency keys are guaranteed effective for 48 hours from the time they're used successfully. After this time window, they will be recycled and existing keys will therefore be treated as new.

note

Idempotency keys are not shared between different API operations, so you could potentially use the same idempotency key for different types of operations, although we do not recommended it.

One exception here is debit card creation for which both physical card creation and virtual card creation are sharing the idempotency key.

Organization Accounts#

Organization accounts (also known as org accounts) are special-purpose accounts that Unit sets up to support your activities. Unlike deposit accounts, org accounts existing on the org level and not under your customers.

Common types of org accounts include:

Revenue account: the account that Unit automatically credits with your org's interchange, interest and payment revenues.
Reserve account: the account that Unit automatically debits for a range of situations, including disputes and ACH returns. This account requires an initial balance to be funded, and monthly recalculation to determine the reserve amount required based on risk.
Cash Advance account: the account that Unit clients may use in the case of offering cash advances to customer.
Clearing account
Batch account: see Batch Payments

Your org accounts can be accessed from the Unit Dashboard. You may also access data in org accounts programmatically, in the same way that you access data in deposit accounts (for example, by calling List Transactions).

note

Some types of organization accounts, such as batch accounts, are designed to be used for incoming and outgoing payments. Others, such as reserve accounts, offer limited payments functionality by design.

Changelog#

We publish a monthly review of all the newest updates and features added to the platform on our Changelog. Subscribe to our newsletter to receive monthly updates on platform an product changes, directly to your inbox.

Roadmap#

Check out our continuously updating public Roadmap to see what's planned for the coming months.